Score One for 3rd-party certification

An employee at ELEAD1ONE pretended to be a team of hackers who were threatening to release four dealerships' sensitive customer info, pulled from Reynolds and Reynolds, CDK Global and Dealertrack DMS data. In fact, the data was mundane, not sensitive, there was no real security breach, and the hoax was quickly ferreted out and resolved. The employee no longer works at eLead.

Reynolds, following its security protocols, temporarily cut off eLead's access to its DMS data, affecting around 1,000 dealers.

Despite the temporary inconvenience to those dealers, the incident could be seen as vindication of sorts for CDK and Reynolds. They can credit their relatively quick and efficient responses to the hoax to their controversial certification programs for third-party vendors. ELead is certified with both companies.

Craig Goodwin, CDK's chief security officer, says the company's Third-Party Access Program allowed it to confirm what was really happening in a timely manner. After CDK's examination of its own systems revealed no breaches, it probed its vendor ecosystem and found that the data came from eLead. CDK then reached out to eLead to learn what measures the company was taking.

Without that partnership in place, Goodwin said, CDK might not have been able to gauge the risk as effectively.

"What this proves is there has to be a collective approach to security," Goodwin told Automotive News. "You can clearly see the partner program we put in place helped us really quickly ascertain the nature of the data."

Reynolds said it immediately began a "technical and business analysis" when it heard of a possible breach.

The company narrowed the possible source of the breach to a single third-party vendor — eLead — by analyzing specific data fields from all of the vendors participating in the Reynolds Certified Interface program.

Vendors have complained loudly about the costly certification fees of CDK and Reynolds. Dealers, in turn, feel they are stuck in the middle as the costs get passed down to them.

Whether the prices the DMS companies charge other outfits for certification are fair remains open for debate. But last month's hoax shows the value of DMS companies knowing who is pulling what data through their systems.